Common Weakness Enumeration

CWE-281

Allowed

Improper Preservation of Permissions

Abstraction: Base · Status: Draft

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

432 vulnerabilities reference this CWE, most recent first.

GHSA-MXM2-2266-373H

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19
VLAI
Details

Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-05T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred",
  "id": "GHSA-mxm2-2266-373h",
  "modified": "2022-05-24T19:19:54Z",
  "published": "2022-05-24T19:19:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39897"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1330806"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39897.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/341017"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MXMG-V768-HH7W

Vulnerability from github – Published: 2024-03-25 09:32 – Updated: 2024-08-23 00:31
VLAI
Details

Anope before 2.0.15 does not prevent resetting the password of a suspended account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-25T08:15:36Z",
    "severity": "MODERATE"
  },
  "details": "Anope before 2.0.15 does not prevent resetting the password of a suspended account.",
  "id": "GHSA-mxmg-v768-hh7w",
  "modified": "2024-08-23T00:31:38Z",
  "published": "2024-03-25T09:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30187"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anope/anope/issues/351"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anope/anope/commit/2b7872139c40ea5b0ca96c1d6595b7d5f9fa60a5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P2QJ-5M9H-FFXQ

Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2021-12-10 00:00
VLAI
Details

There is a Permission control vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37044"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-08T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is a Permission control vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may affect service availability.",
  "id": "GHSA-p2qj-5m9h-ffxq",
  "modified": "2021-12-10T00:00:57Z",
  "published": "2021-12-09T00:00:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37044"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2021/9"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P487-45R6-V8FH

Vulnerability from github – Published: 2025-03-12 18:32 – Updated: 2025-03-12 18:32
VLAI
Details

An issue in dtp.ae tNexus Airport View v.2.8 allows a remote attacker to escalate privileges via the ProfileID value to the [/tnexus/rest/admin/updateUser] API endpoint

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-12T16:15:23Z",
    "severity": "HIGH"
  },
  "details": "An issue in dtp.ae tNexus Airport View v.2.8 allows a remote attacker to escalate privileges via the ProfileID value to the [/tnexus/rest/admin/updateUser] API endpoint",
  "id": "GHSA-p487-45r6-v8fh",
  "modified": "2025-03-12T18:32:53Z",
  "published": "2025-03-12T18:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25711"
    },
    {
      "type": "WEB",
      "url": "https://github.com/z5jt/vulnerability-research/tree/main/CVE-2025-25710"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P4HJ-VWJ4-2JJ3

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

Insecure inherited permissions in the installer for the Intel(R) VTune(TM) Profiler before version 2021.1.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-09T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Insecure inherited permissions in the installer for the Intel(R) VTune(TM) Profiler before version 2021.1.1 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-p4hj-vwj4-2jj3",
  "modified": "2022-05-24T19:04:25Z",
  "published": "2022-05-24T19:04:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0077"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00518.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P6RW-52M8-833J

Vulnerability from github – Published: 2025-01-21 21:30 – Updated: 2025-01-21 21:30
VLAI
Details

Vulnerability in the Oracle Communications Order and Service Management product of Oracle Communications Applications (component: Security). Supported versions that are affected are 7.4.0, 7.4.1 and 7.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Order and Service Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Communications Order and Service Management, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Order and Service Management accessible data as well as unauthorized read access to a subset of Oracle Communications Order and Service Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21544"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T21:15:20Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability in the Oracle Communications Order and Service Management product of Oracle Communications Applications (component: Security).  Supported versions that are affected are 7.4.0, 7.4.1 and  7.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Communications Order and Service Management.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Communications Order and Service Management, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Communications Order and Service Management accessible data as well as  unauthorized read access to a subset of Oracle Communications Order and Service Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).",
  "id": "GHSA-p6rw-52m8-833j",
  "modified": "2025-01-21T21:30:56Z",
  "published": "2025-01-21T21:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21544"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P859-WC97-3523

Vulnerability from github – Published: 2024-08-12 15:30 – Updated: 2025-11-04 00:31
VLAI
Details

User with no permission to any of the Hosts can access and view host count & other statistics through System Information Widget in Global View Dashboard.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-12T13:38:15Z",
    "severity": "MODERATE"
  },
  "details": "User with no permission to any of the Hosts can access and view host count \u0026 other statistics through System Information Widget in Global View Dashboard.",
  "id": "GHSA-p859-wc97-3523",
  "modified": "2025-11-04T00:31:11Z",
  "published": "2024-08-12T15:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22114"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://support.zabbix.com/browse/ZBX-25015"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P863-P79F-QM33

Vulnerability from github – Published: 2024-09-17 00:31 – Updated: 2025-11-04 18:31
VLAI
Details

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access protected user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-17T00:15:52Z",
    "severity": "MODERATE"
  },
  "details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access protected user data.",
  "id": "GHSA-p863-p79f-qm33",
  "modified": "2025-11-04T18:31:24Z",
  "published": "2024-09-17T00:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44188"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121238"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Sep/33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8QJ-J5CG-5P3C

Vulnerability from github – Published: 2025-06-06 06:30 – Updated: 2025-06-06 06:30
VLAI
Details

SystemUI has an incorrect component protection setting, which allows access to specific information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-06T04:15:48Z",
    "severity": "MODERATE"
  },
  "details": "SystemUI has an incorrect component protection setting, which allows access to specific information.",
  "id": "GHSA-p8qj-j5cg-5p3c",
  "modified": "2025-06-06T06:30:26Z",
  "published": "2025-06-06T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46941"
    },
    {
      "type": "WEB",
      "url": "https://www.vivo.com/en/support/security-advisory-detail?id=17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P96J-2664-MGCR

Vulnerability from github – Published: 2026-05-26 18:31 – Updated: 2026-05-26 18:31
VLAI
Details

NVIDIA Display Driver for Linux contains a vulnerability in a kernel mode layer handler, where a user could cause improper permission handling. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-26T18:16:38Z",
    "severity": "HIGH"
  },
  "details": "NVIDIA Display Driver for Linux contains a vulnerability in a kernel mode layer handler, where a user could cause improper permission handling. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution.",
  "id": "GHSA-p96j-2664-mgcr",
  "modified": "2026-05-26T18:31:49Z",
  "published": "2026-05-26T18:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24194"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5821"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-24194"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.